TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Annual Assessment of the Internal Revenue Service Information Technology Program

September 29, 2011

Reference Number: 2011-20-106

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site      | http://www.tigta.gov

HIGHLIGHTS

ANNUAL ASSESSMENT OF THE INTERNAL REVENUE SERVICE INFORMATION TECHNOLOGY PROGRAM

Final Report issued on September 29, 2011

Highlights of Reference Number: 2011-20-106 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Internal Revenue Service (IRS) relies extensively on its computer systems to carry out the responsibilities of administering our Nation’s tax laws. As such, it must ensure its computer systems are effectively secured to protect financial and taxpayer data. The IRS also needs to ensure that it leverages technological advances to update its computer operations and improve customer satisfaction and that the computer systems supporting tax administration continue to operate efficiently and effectively.

WHY TIGTA DID THE AUDIT

This audit was initiated as part of TIGTA’s Fiscal Year 2011 Annual Audit Plan and addresses the major management challenges of Security and Modernization. TIGTA annually assesses and reports on the adequacy and security of IRS information technology, as required by the IRS Restructuring and Reform Act of 1998.

WHAT TIGTA FOUND

The Business Systems Modernization Program (Modernization Program) is a complex effort to modernize IRS technology and related business practices. It involves integrating thousands of hardware and software components while replacing outdated technology and maintaining the current tax system. The IRS would not be able to deliver the Modernization Program without the support of the Cybersecurity and Enterprise Operations organizations.

The IRS’s Fiscal Year 2011 financial plan for its Information Technology Program and operations remained relatively flat from its Fiscal Year 2010 budget of $1.8 billion. The Fiscal Year 2011 financial plan included about $264 million to go towards the Modernization Program. As of July 2011, the Modernization and Information Technology Services organization employed over 7,300 individuals.

Since last year’s assessment, significant systems have been developed and implemented to improve the tax return processing environment, and additional improvements and upgrades are being developed and implemented. As such, TIGTA supports the IRS’s request to downgrade the Modernization Program material weakness. However, computer security remains a material weakness, and the IRS needs to continue its emphasis and attention on becoming a security-conscious organization.

TIGTA also noted that the information technology operations program has implemented best practice principles, such as the Information Technology Infrastructure Library, designed to improve efficiency and effectiveness, and has taken action to improve the energy efficiency of its desktop computer equipment. While TIGTA is encouraged by these actions, the IRS has opportunities for making improvements and measuring its results.

WHAT TIGTA RECOMMENDED

Because this was an assessment report of the IRS’s Information Technology Program through Fiscal Year 2011, TIGTA did not offer any recommendations. IRS officials were provided an opportunity to review and comment on the report.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 29, 2011

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM:     Michael R. Phillips
          Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – Annual Assessment of the Internal Revenue Service Information Technology Program (Audit # 201120003)

This report presents the results of our annual assessment of the Internal Revenue Service (IRS) Information Technology Program. The overall objective of this review was to assess the status of the IRS’s Information Technology Program since June 2010, as required by the IRS Restructuring and Reform Act of 1998.¹ This review is part of our Fiscal Year 2011 Annual Audit Plan and addresses the major management challenges of Security and Modernization.

Copies of this report are also being sent to the IRS managers affected by the report findings.

Please contact me at (202) 622-6510 if you have questions or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

¹ Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).

Table of Contents

Background

Results of Review
    Modernization Program Background
    The Modernization Program Continues to Deliver Business Value and Benefits to Taxpayers
    The Modernization Program Demonstrates Improvements in Delivering Planned Capabilities
    The Modernization Program Addressed Process and Control Weaknesses
    Information Security Background
    Some Progress Is Being Made to Improve Information Security
    Continued Emphasis and Attention Is Needed to Allow the Internal Revenue Service to Become a Security-Conscious Organization
    Information Technology Operations Background
    The Information Technology Operations Program Has Improved Its Efficiency and Effectiveness

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Listing of Treasury Inspector General for Tax Administration Reports Reviewed
    Appendix V – Project Cost and Schedule Variances
    Appendix VI – Glossary of Terms

Abbreviations

CADE        Customer Account Data Engine
FY          Fiscal Year
IBM         International Business Machines Corporation
IRS         Internal Revenue Service
MeF         Modernized e-File
MITS        Modernization and Information Technology Services
TIGTA       Treasury Inspector General for Tax Administration

Background

The Internal Revenue Service (IRS) Restructuring and Reform Act of 1998¹ requires the Treasury Inspector General for Tax Administration (TIGTA) to annually evaluate the adequacy and security of the IRS Information Technology Program. This report provides our assessment of the IRS’s Information Technology Program and operations.

As of July 2011, the Modernization and Information Technology Services (MITS) organization employed over 7,300 individuals.
Figure 1 provides a breakdown of MITS employees by their respective business unit functions.

Figure 1: Number of MITS Employees by Business Unit (in descending order)

MITS Business Unit                                             Number of Employees
Applications Development                                       2,397
Enterprise Operations                                          1,748
End Users Equipment & Services                                 1,295
Enterprise Networks                                              510
Cybersecurity                                                    410
Enterprise Services                                              287
Strategy & Planning                                              270
Affordable Care Act – Program Management Office                  267
Management Services                                               73
Customer Account Data Engine Program Management Office            68
Equal Employment Opportunity and Diversity                         7
Deputy Chief Information Officer for Strategy/Modernization        4
Deputy Chief Information Officer for Operations                    3
TOTAL                                                          7,339

Source: Treasury Integrated Management Information System as of July 2011.

¹ Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).

The IRS’s Fiscal Year (FY) 2011 financial plan for its Information Technology Program and operations remained relatively flat from its FY 2010 budget of $1.8 billion. In addition, the FY 2011 financial plan included about $264 million to go towards the Business Systems Modernization Program (Modernization Program).

While the IRS’s Modernization Program encompasses dozens of projects and systems, the core projects that the IRS refers to as the “Pillars of Modernization” are the:
  • Current Customer Account Data Engine (CADE) and CADE 2² – the databases and related applications that include applications for daily posting, settlement, maintenance, refund processing, and issue detection for taxpayer tax account and return data.
  • Modernized e-File (MeF) – an electronic filing platform used for electronic filing of tax returns for both business and individual taxpayers.
  • Account Management Services/Integrated Data Retrieval System – systems that provide IRS employees with the ability to view, access, update, and manage taxpayer accounts.

The IRS would not be able to deliver these core projects without the support of the Cybersecurity and Enterprise Operations organizations.
The Cybersecurity organization is responsible for ensuring the IRS’s compliance with Federal statutory, legislative, and regulatory requirements governing measures to assure the confidentiality, integrity, and availability of IRS electronic systems, services, and data. The Enterprise Operations organization supports the MITS organization by providing efficient, cost-effective, secure, and highly reliable computing (mainframe and server) services for all IRS business entities and taxpayers.

In March 2010, Congress enacted legislation that will significantly impact the work performed by the MITS organization. The Patient Protection and Affordable Care Act³ was signed into law and later amended on March 30, 2010, by the Health Care and Education Reconciliation Act⁴ (hereafter referred to as the Affordable Care Act). At least 42 provisions add to or amend the Internal Revenue Code, and at least 8 require the MITS organization to build new processes that do not exist in current tax administration. The IRS realized the vastness of the work required by the Affordable Care Act and, in June 2010, created a new organization called the Associate Chief Information Officer Affordable Care Act – Program Management Office (hereafter called the Program Management Office) to mitigate any impact to its ongoing development efforts and to ensure successful delivery of the required new systems. The Program Management Office will be accountable for achieving the defined goals and for managing and integrating the required components, including building new services and applications, enhancing and extending existing applications, and ensuring that the appropriate governance and control processes are followed throughout implementation.

² See Appendix VI for a glossary of terms.
³ Pub. L. No. 111-148, 124 Stat. 119 (2010).
⁴ Pub. L. No. 111-152, 124 Stat. 1029.

The compilation of information for this report was conducted at the TIGTA office in Atlanta, Georgia, during the period May through July 2011. The information presented in this report is derived from TIGTA audit reports issued since June 2010. We also reviewed relevant Government Accountability Office reports relating to IRS information technology issues. These previous audits and our analyses were conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. One of our audits is on the Federal Information Security Management Act.⁵ For this review, we conduct an annual independent evaluation of information security policies, procedures, and practices as well as evaluate compliance with Federal Information Security Management Act requirements. We believe that the evidence obtained provides a reasonable basis for our finding and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II. A listing of the audit reports used in this assessment is presented in Appendix IV.

⁵ 44 United States Code (U.S.C.) sections (§§) 3541–3549.

Results of Review

Modernization Program Background

For FY 2011, the TIGTA cited that modernization of IRS technology and business processes was the second top challenge for the IRS. The Modernization Program is a complex effort to modernize IRS technology and related business processes. It involves integrating thousands of hardware and software components while replacing outdated technology and maintaining the current tax system. The Modernization Program receives separate funding from Congress. Since its inception in FY 1999, the IRS has received over $3 billion. The IRS projected it needed $334 million for the Modernization Program in its FY 2012 budget request.

Factors that characterize the IRS’s complex information technology environment include widely varying inputs from taxpayers (from simple concise records to complex voluminous documents), seasonal processing with extreme variations in processing loads, transaction rates on the order of billions per year, and data storage measured in trillions of bytes.
The Modernization Program is working toward providing improved benefits to taxpayers that include:
  • Issuing refunds, on average, 5 days faster than existing legacy systems.
  • Offering electronic filing capability for individuals, large corporations and small businesses, tax-exempt organizations, and partnerships, with dramatically reduced processing error rates.
  • Delivering web-based services for tax practitioners, taxpayers, and IRS employees.
  • Providing IRS customer service representatives with faster and improved access to taxpayer account data with real-time data entry, validation, and updates of taxpayer addresses.

The Modernization Program Continues to Deliver Business Value and Benefits to Taxpayers

Data and technology are central to the future of tax administration. The IRS is on schedule to deliver the CADE 2 system for the 2012 Filing Season. Completion of the CADE 2 system is the cornerstone of IRS information technology modernization that will expedite refunds to millions of individual taxpayers. It is also a prerequisite for other major initiatives, such as expansion of online paperless services. The ability of the IRS to support increasingly complex taxpayer service and compliance initiatives will be severely limited until the new taxpayer account database is completed. IRS modernization efforts continue to focus on core tax administration systems designed to provide more sophisticated tools to taxpayers and to IRS employees. The Modernization Program has continued to provide new information technology capabilities and the related benefits to both the IRS and taxpayers.
Since January 2011, the IRS has implemented new versions of the current CADE and MeF systems and the Account Management Services system. Additionally, the IRS has continued making progress in preparing for the deployment of the CADE 2 system.

Current Customer Account Data Engine

The current CADE system is a component of the Modernization Program. It consists of modernized databases and related applications that work in conjunction with the IRS Master File System. Current CADE Release 6.2 was deployed in January 2011 to incorporate Tax Year 2010 tax law changes affecting individual taxpayers and to provide technical improvements to the infrastructure and availability of the CADE system. From January through May 2011, the current CADE system processed over 39.9 million tax returns and issued more than 35.1 million refunds totaling in excess of $65.6 billion.

The current CADE system is in the process of transferring accounts back to the IRS Master File in preparation for the transition to the CADE 2 system. As of May 2011, the IRS migrated over 69 million accounts and was on track to complete the migration process by the end of June 2011. Once the migration of the current CADE to CADE 2 system is complete, the current CADE system will be taken offline.

Customer Account Data Engine 2

The CADE 2 Program is the top information technology modernization project in the IRS. The CADE 2 strategy involves three phases:

    Transition State 1. Modifies the Individual Master File from a weekly cycle to daily processing, establishes a new relational database to store all individual taxpayer account information, and provides management tools to more effectively use data for compliance and customer service. The IRS plans to implement Transition State 1 in January 2012.

    Transition State 2. Launches a single processing system where applications directly access and update the taxpayer account database.
    It will continue efforts toward addressing previously identified financial material weaknesses. The IRS plans to implement Transition State 2 in January 2014. During a June 16, 2011, meeting with IRS Modernization executives, the TIGTA learned that a lack of funding may delay delivery of this phase. The IRS is working to identify funding it could use to begin high-level planning efforts.

    Target State. Consists of a single system using elements of the Individual Master File and the current CADE system, eliminating all transitional applications used to link the current CADE system, Individual Master File, and the Integrated Data Retrieval System. The complete solution is also planned to address all the financial material weaknesses. As of April 28, 2011, the IRS had not established a Target State implementation date.

The IRS established the CADE 2 Program Management Office to provide state-of-the-art individual taxpayer account processing and technologies to improve service to taxpayers. The CADE 2 Program Management Office plans to create a modernized processing environment where applications both access and update an authoritative relational database to manage all individual taxpayer accounts. To assist in this effort, the IRS established two systems development projects (Daily Processing and Database Implementation) and completed several prototypes.
The objective of each prototype was to demonstrate confidence in the CADE 2 approach by verifying system viability and performance and defining components to serve as the foundation for development activities.

With the “go-live” date for Transition State 1 fast approaching, the IRS continues to work on ensuring the CADE 2 system is successfully deployed by dividing the processing framework into manageable segments. The IRS also developed a set of guiding principles that will help enable a seamless and successful “go live” and post-implementation support for Transition State 1. Some of these principles include:
  • Ensuring the most critical components with the highest impact/risk are prioritized in order to increase the likelihood of overall project success.
  • Including people, processes, and technology in discussions about change.
  • Establishing a central readiness team to monitor progress and ensure key messages are consistently communicated throughout the organization.

Modernized e-File

The MeF system streamlines tax return filing processes and reduces the costs associated with paper tax returns. The first phase of the MeF system (Release 6.1) for individual income tax returns included the U.S. Individual Income Tax Return (Form 1040), Application for Automatic Extension of Time to File U.S. Individual Income Tax Return (Form 4868), and 21 forms and schedules related to the Form 1040 for Tax Year 2009. The IRS first began accepting individual tax returns through the MeF system in February 2010.

The second phase of the MeF system (Release 6.2) for individual income tax returns was implemented during the 2011 Filing Season. Release 6.2 does not provide for the filing of any additional tax forms or schedules.
The primary difference between the functionality of Releases 6.1 and 6.2 is the ability for individual taxpayers to file prior year tax returns. For example, for the 2011 Filing Season, individual taxpayers will be able to file both their Tax Years 2009 and 2010 tax returns using the MeF system.

Returns submitted through the MeF system have an average of 8 percent processing error rate, compared to 19 percent for transcription-based paper processing. As of May 31, 2011, the IRS accepted 9.8 million individual tax returns transmitted through the MeF system for processing, in addition to the 6.3 million corporate, partnership, and exempt organization returns and forms accepted. The third phase of the MeF system (Release 7.0) is planned for deployment in Fiscal Year 2012 and includes the rollout of over 125 remaining Forms 1040, including the Income Tax Return for Single and Joint Filers With No Dependents (Form 1040 EZ). The IRS plans to spend about $67.2 million on this release of the MeF system.

Account Management Services

The Account Management Services system provides IRS employees with the tools to access information quickly and accurately in response to complex customer inquiries. The final Account Management Services system release, Release 2.1, provided all users (approximately 40,000) with the ability to view correspondence images online and on demand. Direct access to view images reduced case cycle time from 10–14 days to zero. In May 2011 alone, the Account Management Services system processed over 234,000 correspondence image view requests.
The cumulative total of correspondence image view requests exceeded 2.7 million since its deployment in February 2010.

The Modernization Program Demonstrates Improvement in Delivering Planned Capabilities

The Modernization Program continues to help improve IRS operations and has demonstrated successes in improving business practices by implementing new information technology solutions. Management of project costs and schedule has shown a drastic improvement, but requirements development and management continues to need attention.

Process improvement activities

The IRS has a sophisticated Enterprise Life Cycle development process that it uses for large application development projects. However, this process contains several development phases (i.e., milestone reviews), can require extensive documentation, and may take several months to years to complete. Therefore, the IRS Enterprise Life Cycle Project Management Office is working within the applications development offices to develop more streamlined lifecycle processes for smaller, faster paced developments. For this reason, the MITS organization has taken steps to implement an iterative approach to its systems development activities.

The iterative path is an adaptive development approach in which projects start with initial planning and end with deployment, with repeated cycles of requirements discovery, development, and testing in between. This development path is well suited to projects and environments that change rapidly, because each iteration presents new opportunities for the project to adapt to change.
Some benefits of implementing the iterative path approach include streamlining the number of development phases, involving process owners and business stakeholders to continuously provide feedback, and prototyping (i.e., developing an early version of the solution to see if it meets needs).

During FY 2011, we conducted several audits of the IRS’s systems development activities and found the IRS made progress adopting the iterative path.
  • During our review to determine the effectiveness of the CADE 2 prototype efforts, we found that the CADE 2 Program Management Office created five prototype teams to demonstrate confidence in the CADE 2 solution by verifying system viability and performance and by defining components that will serve as the foundation for development activities. In addition, the prototype teams generally managed their objectives effectively and took steps to overcome risks identified during prototype planning.⁶
  • During our review to determine whether the IRS adequately tested and secured the IRS2GO smartphone application, we determined the IRS2GO application adequately protects data transmissions and personally identifiable information. The IRS smartphone application provides tax tips to the smartphone user and allows the user to check on the status of his or her tax refund.⁷
  • During our review to evaluate the MITS organization’s planning effort to implement the Affordable Care Act, we identified that the Program Management Office implemented processes to ensure that the systems it develops meet the business needs by involving business unit representatives in the development and decisionmaking processes. We also found that the Program Management Office collaborates with its internal and external stakeholders.
        For example, the Program Management Office staff conducted periodic
        joint meetings with the internal stakeholders such as the following: the Large Business
        and International, Small Business/Self-Employed, and Tax Exempt and Government
        Entities Divisions. Topics of discussions include requests for approval to use a particular
        development process and approval to begin projects and action items such as working to
        minimize the impact to filing season projects.[8]

Modernization Program cost and schedule management
In our FY 2010 assessment of the Modernization Program,[9] we reported that 3 (38 percent) of the
8 project milestones were not delivered within the accepted 10 percent variance in schedule.

[6] See Appendix IV, Number 4.
[7] See Appendix IV, Number 23.
[8] See Appendix IV, Number 25.
[9] See Appendix IV, Number 3.

This fiscal year, the IRS delivered all 7 of its project milestones on time and almost all were
completed within the accepted 10 percent variance for cost. The exception to this was for MeF
Release 7. This project experienced a 24 percent cost variance.
Appendix V presents the cost and schedule variance for Modernization Program project releases
delivered from October 2010 through June 2011.

Some systems development disciplines continue to need attention
During the past year, the TIGTA reported on the adequacy of the development and management
of the Modernization Program and other modernization project requirements. These issues
included adequacy of controls for managing the development of requirements, documentation
and controls over requirements testing and traceability, and updating project work breakdown
schedules.
These issues were present in five Modernization Program reports on the CADE 2
Program and the MeF Program.
CADE 2 Prototypes – The CADE 2 Program Management Office took steps to formulate and
initiate prototype efforts. These steps included development of program guidance and prototype
processes and steps to identify and manage risks related to the prototyping efforts. Further, the
CADE 2 Program Management Office took actions to monitor and evaluate progress in
accomplishing the prototype objectives. However, some of the prototype teams did not initially
document test plans, test results, and issues logs. Without these documents, relevant business
requirements needed for testing may be omitted, there may not be sufficient evidence to show all
necessary requirements were tested, and similar issues could recur.[10]
CADE 2 Program Management Office – The CADE 2 Program Management Office was
established with a mission to provide state-of-the-art individual taxpayer account processing and
technologies to improve service to taxpayers and enhance IRS tax administration. The CADE 2
Program Management Office issued guidelines for key systems development processes and
convened numerous meetings to provide oversight for the work being performed. As status
meetings were convened, it became evident to CADE 2 Program Management Office officials
there was a significant challenge involved in assembling diverse processes into a comprehensive
set of activities that would be well understood and consistently applied across the Program and
the projects. While Program guidelines specified the systems development procedures, the
guidelines and the actual processes performed by the project teams were not always consistent.
For example, the CADE 2 Program Management Office did not initially have a Program Test
Plan and, as a result, experienced multiple delays in its development during the course of our
review.
If the CADE 2 project teams do not receive sufficient guidance on developing their test
plans, the CADE 2 system may not be properly tested and the system may not work as intended
when deployed into IRS operations. During the course of our review, the IRS developed the
required Program Test Plan.[11]

[10] See Appendix IV, Number 4.

CADE 2 Daily Processing – The CADE 2 Daily Processing project is not a new application
development project. Instead, it will enhance the existing IRS Master File, currently processing
on a weekly schedule, and make it daily processing. By moving to daily processing, the CADE 2
Daily Processing project will provide immediate and obvious benefits, including faster refunds to
taxpayers, faster posting of payments, and more efficient adjustments to taxpayer accounts.
Our review determined the CADE 2 Daily Processing project has steadily progressed from
project initiation (Milestone 1) through Physical Design (Milestone 4a). As a result, the IRS is
closer to achieving one of its modernization goals, daily processing of taxpayer accounts.
However, the CADE 2 Daily Processing business rules were not gathered and completed as
required and were still being developed after the December 2010 Milestone 3 exit. For example,
when the Milestone 3 exit occurred, the business rule that determines eligibility of accounts for
daily processing was not developed. Additionally, prior to the Milestone 4a exit, 16 business
rules were not written as required by the Enterprise Life Cycle.
The risk of incomplete business
rules could contribute to untraced requirements, which may adversely impact systems design and
testing activities.[12]
CADE 2 Database Implementation – As part of the CADE 2 Transition State 1, the IRS
established the Database Implementation project to move it away from operating in two tax
processing environments and to maintain a single system of record for all individual taxpayer
accounts. The primary deliverable of the CADE 2 Database Implementation project is a
relational database that will house individual taxpayer account data, currently being processed by
the IRS Master File and current CADE system. The CADE 2 Database Implementation team
made progress towards implementing this new project and providing IRS employees with the
ability to view updated taxpayer account information online. However, the work breakdown
structure used to define and group project tasks and define the scope of the project was not
comprehensive in including all activities through Milestone 5.[13]
MeF – In our report on the development of MeF Release 6.2, we reported that improvements are
needed for tracking performance issues. Specifically, internal matrices captured performance
enhancements; however, there was either inadequate or no support documentation for performing
and tracking work or for showing that necessary corrective action was taken. As a result, the
TIGTA was unable to validate whether captured performance elements identified during the
2010 Filing Season were ever resolved.
In addition, the IRS did not follow the MeF Risk
Management Plan, which requires all issues and candidate risks to be entered into the Item
Tracking Reporting and Control System to ensure monitoring and control by external
stakeholders. During our review of the administration and oversight of the MeF Program, we
identified several issues and risks that the IRS did not properly track. The lack of adherence to
guidance negatively impacts the IRS’s ability to efficiently monitor and track issues that are
critical for external stakeholder awareness.[14]

[11] See Appendix IV, Number 9.
[12] See Appendix IV, Number 7.
[13] See Appendix IV, Number 8.

We also recently completed an audit to determine whether individual income tax returns will be
accurately and timely processed and whether sufficient progress is being made to replace the
Legacy e-File system for individual tax returns in the 2013 Filing Season. We reported that
processes used to test and monitor the MeF system do not ensure MeF system business rules
designed to validate basic requirements on a tax return are working as intended. As a result, the
IRS continues to have limited assurance that the MeF system is accurately processing individual
tax returns. Ineffective or insufficient monitoring of tax return processing increases the risk that
tax returns processed through the MeF system will be erroneously accepted or rejected. This risk
will grow significantly as the volume of tax returns processed through the MeF system increases
and the types of forms and schedules are expanded.
In addition, lower than expected tax return
transmitter participation and tax return volumes raise significant concern regarding the IRS’s
ability to fully replace the Legacy e-File system for the 2013 Filing Season.[15]

The Modernization Program Addressed Process and Control
Weaknesses
In last year’s assessment report, we reported that the IRS had plans to refocus the Modernization
Program, especially as it related to CADE 2 Program activities. At that time, we believed the
IRS should continue to consider the overall Modernization Program as a material weakness until
it could demonstrate success with the CADE 2 system. In response to our report, IRS
management commented the IRS is at a key point in the Modernization Program and is well on
the way to successfully demonstrating that the CADE 2 system can operate securely and
effectively.
When the IRS agreed to declare the Modernization Program as a material weakness in Calendar
Year 1995, it set up an Action Plan that listed all of the management and control weaknesses that
needed improvement.
The goal of the Action Plan was to “improve IRS modernization
management controls and processes to consistently improve delivery of systems with expected
functionality within budget and on time that will dramatically improve both internal operations
and services to taxpayers.” The Action Plan included identifying gaps and weaknesses,
establishing corrective actions, monitoring progress, and identifying continuous improvement
opportunities.

[14] See Appendix IV, Number 6.
[15] See Appendix IV, Number 28.

The key indicators used to evaluate the progress on the Action Plan are: effective management
processes will be delivery of systems on time and within budget (variance of less than 10 percent
for estimates of the next Milestone at the prior Milestone exit); no significant decrease in
functionality; and relatively clean management process audits from the TIGTA and from the
review of the Modernization Annual Expenditure Plan by the Government Accountability Office.
Management processes include risk management, configuration management, cost and schedule
estimating, management reporting, human capital management, Enterprise Life Cycle, and
several other agreed-to management processes as reported every month by the IRS.
In addition to the Action Plan, the IRS instituted a program to monitor action plans built on the
Capability Maturity Model Integration[16] framework for the control weaknesses that needed
improvement to ensure they were managed in accordance with agreed metrics.
At the request of
the IRS, we completed work to determine whether the Applications Development function’s
Quality Assurance Program Office ensures development projects implement a coordinated set of
activities that conform to organizational policies, processes, and procedures that meet the
standards of Capability Maturity Model Integration – Development maturity level 2.[17] We found
the Internal Revenue Manual included the quality assurance requirements. Further, the Quality
Assurance Program Office’s processes, guidance, and procedures generally meet the
requirements for quality assurance. In addition, qualified specialists were employed to perform
audits to determine the level of compliance with the organizational standards, processes, and
procedures, and feedback was provided to project staff and managers on the results of the quality
assurance activities. The Quality Assurance Program Office met the annual audit plan goals in
FYs 2008 and 2009 by performing 65 audits and 79 audits, respectively. The IRS received
external accreditation for maturity level 2 in November 2010, indicating that the Applications
Development function exhibits a managed level of maturity with basic project management
capability focus in key process areas. The IRS plans to achieve maturity level 3 (a more
“defined” level of maturity with process standardization) in FY 2013.
During FY 2011, the Chief Technology Officer and other MITS executives met with the TIGTA
to request support to downgrade the IRS’s Modernization Program material weakness. The
MITS organization’s position is that the IRS has met all of the conditions and completed all
management and control improvements from the original and revised action plans the IRS
defined to resolve the material weakness.
In its June 2011 request letter to the Department of the
Treasury, IRS management cited several key accomplishments, such as implementing a
high-priority initiative process to address ongoing improvements, implementing the previously
discussed Capability Maturity Model Integration framework, and sustaining performance
delivering systems on time and within budget (see the prior section on cost and schedule
management).

[16] The Capability Maturity Model Integration defines industry best practices for management software development
projects as set forth by industry experts.
[17] See Appendix IV, Number 5.

The TIGTA has been involved in audits of the Modernization Program since FY 2000, and we
have seen the improvement in the management and controls of the program. While our audit
reports have pointed out (and continue to do so) concerns and issues with the implementation of
the management controls, overall we have seen significant progress in the management of the
Modernization Program. Significant systems such as the CADE 2, Account Management
Services, and MeF systems have been developed and rolled out to improve the tax return
processing environment, and additional improvements and upgrades are being developed and
implemented.
As such, we concur that the IRS has substantially completed the improvement items listed in the
Action Plan and has met the indicators used to evaluate its progress.
We would support the
request to downgrade the Modernization Program from a material weakness to a deficiency.
This does not mean that the Modernization Program no longer has concerns and issues, but the
improvements put in place (and reviewed by the TIGTA and the Government Accountability
Office) have generally improved the management of the Modernization Program. We would
suggest that the IRS consider the Modernization Program to be a high-risk area and continue to
stress improvements in processes and performance. IRS management indicated that once the
Modernization Program achieves Capability Maturity Model Integration maturity level 3, it will
seek to close this deficiency.

Information Security Background
The IRS relies extensively on its computer systems to carry out the demanding responsibilities of
administering our Nation’s tax laws, including the processing of Federal tax returns. According
to the IRS Data Book, 2010, the IRS received more than 230 million tax returns, of which
141 million returns were from individual taxpayers. As computer usage continues to be
inextricably integrated into the IRS’s core business processes, the need for effective information
system security becomes essential to ensure that data is protected against inadvertent or
deliberate misuse, improper disclosure, or destruction and that computer operations supporting
tax administration are secured against disruption or compromise.
The IRS, like all other Federal Government entities, faces the daunting task of securing its
computer systems against the growing threats of cyber attacks. According to the Office of
Management and Budget’s FY 2010 report to Congress on the implementation of the Federal
Information Security Management Act, the number of cyber incidents affecting United States
Federal agencies shot up 39 percent in FY 2010 when Federal agencies reported 41,776 cyber
attacks.
More recently in July 2011, the Pentagon acknowledged a serious data breach when a
Department of Defense contractor suffered “one of its largest cyber attacks ever” when what it
believes to be a foreign government stole 24,000 files containing sensitive data. Lastly, a
July 2011 report from the National Security Council warns that international cybercrime has
reached the upper echelon of threats to the security of the United States and poses a significant
threat to sensitive corporate and government computer networks.

For FY 2011, the TIGTA cited that “Securing the IRS” was the top management challenge for
the IRS. This priority designation was given due to increasing threats, both cyber and physical,
against the IRS and the potentially expanding role of the IRS. Animosity towards tax collection
is nothing new, though the threat vector has increased recently. For the IRS, the threat became
reality when, in February 2010 in Austin, Texas, a disgruntled taxpayer flew his small aircraft
into a building partially occupied by the IRS with the intent of killing as many IRS employees as
possible.

Some Progress Is Being Made to Improve Information Security
The Cybersecurity organization within the MITS organization has primary responsibility for
guiding the IRS in its efforts to protect computer systems and sensitive data and is responsible
for ensuring the IRS’s compliance with Federal statutory, legislative, and regulatory
requirements governing measures to assure the confidentiality, integrity, and availability of IRS
electronic systems, services, and data.
The Cybersecurity organization provides management
and oversight for the IRS Information Technology Security Program. Its mission is to assure the
security and resilience of information technology systems and data by providing solutions to the
security risks encountered by business customers. The security environment in which the IRS
operates is constantly changing. Third-party communications and new centers of communication
have merged to challenge the outdated environment formed more than a half a century ago.
Nevertheless, close collaboration and cooperation with all organizations remain crucial to
meeting the IRS’s strategic goals.
The IRS is making some progress over information security and continues to place a high
priority on efforts to improve its information security program. For example, in the IRS’s
Strategic Plan for FYs 2009 to 2013, one of the major trends affecting the IRS is the “explosion
in electronic data, online interactions, and related security risks.” Another example of the IRS’s
commitment toward information security is the IRS’s Information Technology Security Program
Plan, issued in September 2009. The Information Technology Security Program Plan is designed
to enhance collaboration, provoke thought and comment, and guide all security efforts across the
IRS community. In addition, the Plan serves as a roadmap and a basis for benchmarking
information security performance toward attaining security objectives.
Lastly, senior leaders of
the IRS will be able to use the Security Program Plan as input to their strategic business planning
process.
During FY 2011, we conducted several audits on information security and found the IRS is
taking steps for securing technology.
    •   During our review to determine whether IRS controls, policies, and procedures for
        sensitive email messages to taxpayers adequately protected taxpayer data, we found the
        IRS is using email to enhance customer service and provide a more expedient and
        efficient way to exchange information. In addition, the IRS has effective controls to
        remove email accounts from the email system when the employee separates from the
        IRS.
        In FY 2010, the IRS conducted monthly security assessments of its email servers.[18]
    •   During our review to evaluate security over the IRS’s use of wireless technologies and
        the IRS’s development of a smartphone application, IRS2GO, we found security
        configurations were generally in place and working as intended.[19]
    •   During our review to evaluate whether the IRS implemented access controls on its
        Automated Insolvency System, we found the IRS established access controls, such as
        automatic system lockout after three unsuccessful login attempts, good password
        requirements, and restricting database access to only database administrators, which
        limits who has access to the systems.[20]
    •   During our review[21] to evaluate whether the CADE 2 Program Management Office
        planned and provided oversight for Transition State 1 design activities, we found that the
        IRS planned enhanced security controls for the CADE 2 system and the Cybersecurity
        organization was heavily engaged and proactive in its assigned role of managing all
        aspects of CADE 2 system security. In addition, the IRS contracted with an independent
        firm to complete a threat susceptibility analysis on the CADE 2 Transition State 1.
        The contractor’s report concluded that threats to the CADE 2 Transition State 1 by external
        interfaces and databases appear to be minimal.[22]
    •   During our review to determine whether adequate security controls have been established
        for the International Business Machines Corporation (IBM) DB2 databases running on
        the IBM z/OS operating system, we reviewed two applications (the Electronic Tax
        Administration Marketing Database and the Tax Return Database) owned by the Wage
        and Investment Division that share resources on the IBM mainframe to verify that the
        implementation of these applications met IRS standards. Our analysis of system files and
        system-generated reports verified that both applications met the IRS configuration and
        security standards for the IBM z/OS operating system and the DB2 database.[23]
However, computer security remains the top management challenge and continued vigilance is
needed to minimize security weaknesses throughout the IRS and ensure the IRS becomes a
security-conscious organization.

[18] See Appendix IV, Number 16.
[19] See Appendix IV, Number 23.
[20] See Appendix IV, Number 18.
[21] See Appendix IV, Number 9.
[22] See Appendix IV, Number 7.
[23] See Appendix IV, Number 26.

Computer security remains as a material weakness
The Federal Managers Financial Integrity Act of 1982[24] requires that each agency conduct annual
evaluations of its systems of internal accounting and administrative controls and submit an
annual statement on the status of the agency’s system of management controls.
In the event that
an agency determines the existence of shortcomings in operations or systems which severely
impair or threaten the organization’s ability to accomplish its mission or to prepare timely and
accurate financial statements, the Department of the Treasury directs the agency to declare a
material weakness on that particular area.
In Calendar Year 1997, the IRS designated computer security as a material weakness. The
computer security material weakness compromises the accuracy and availability of the IRS
financial information and places sensitive information regarding IRS operations and taxpayers at
risk. The IRS further categorized the computer security material weakness into nine
components: (1) network access controls; (2) key computer applications and system access
controls; (3) software configuration; (4) functional business, operating, and program units
security roles and responsibilities; (5) segregation of duties between system and security
administrators; (6) contingency planning and disaster recovery; (7) monitoring of key networks
and systems; (8) security training; and (9) certification and accreditation.
According to the IRS, the IRS had closed or completed all planned actions for five of the nine
components: (1) network access controls (completed in July 2010); (2) functional business,
operating, and program unit security roles and responsibilities (completed in March 2009);
(3) segregation of duties between system and security administrators (closed in September 2005);
(4) security training (closed in October 2008); and (5) certification and accreditation (closed in
October 2008).
Since June 2010, we conducted four audits related to the computer security material weakness.
The IRS agreed with the findings below and provided adequate corrective actions to address our
findings unless noted otherwise.
    •   During our review of enterprise audit trails, we reported that, while the IRS has
        taken several steps to improve its management of audit trails and has significantly
        increased its staffing and funding for FY 2010, substantial efforts and sustained funding
        are needed to address the audit trails portion of the computer security material weakness.
        We reviewed 20 major computer systems to determine the level of compliance with the
        IRS’s audit trail policy and guidance and found that events were not being adequately
        captured and reviewed on many databases, applications, and operating systems because:
        (1) very few systems have audit plans, (2) the IRS did not have adequate event capturing
        and report generating software tools, (3) audit reports were not being generated, and
        (4) the IRS determined that capturing required events could hurt system performance.[25]

[24] Pub. L. No. 97-255 (31 U.S.C. §§ 1105, 1106, 1108, 1113, 3512).

    •   During our review of the security roles and responsibilities component of the material
        weakness, we found the IRS completed the necessary work on two of the six corrective
        actions established to address this material weakness component. The other four
        corrective actions pertained to: (1) document information technology security roles and
        responsibilities, (2) develop and document day-to-day information technology security
        procedures and guidelines, (3) conduct compliance assessments to verify and validate
        security roles and responsibilities, and (4) establish metrics to measure successful
        operations.
        Although the IRS made progress in correcting previously reported
        information security weaknesses, lack of adherence to guidelines continues to jeopardize
        the confidentiality, integrity, and availability of financial and sensitive taxpayer
        information.[26]
    •   During our review of the assessment of ongoing disaster recovery, we found the IRS
        completed or will complete many of the corrective actions to address the contingency
        planning and disaster recovery component of the material weakness. As a result, the IRS
        will be downgrading this component during FY 2011.[27]
    •   During our review of the IRS’s Federal Financial Management Improvement Act of
        1996[28] remediation plans for the period of January to September 2009, we found the IRS
        has experienced difficulties in developing comprehensive remediation actions required to
        resolve noncompliance related to computer security and reliably estimating the resources
        and time necessary to implement remedial actions. Complete and reliable information is
        critical to the IRS’s ability to accurately report on the results of its operations to both
        internal and external stakeholders, including taxpayers.[29]
In addition, during May 2010 to March 2011, the Government Accountability Office assessed
whether controls over key financial and tax processing systems are effective in ensuring the
confidentiality, integrity, and availability of financial and sensitive taxpayer information in
conjunction with its audits of the IRS’s FY 2010 and 2009 financial statements. The
Government Accountability Office found that the IRS did not consistently implement controls
that were intended to prevent, limit, and detect unauthorized access to its financial systems and
information.
For example, the agency did not sufficiently (1) restrict users’ access to databases
to only the access needed to perform their jobs; (2) secure the system it uses to support and
manage its computer access request, approval, and review processes; (3) update database
software residing on servers that support its general ledger system; and (4) enable certain
auditing features on databases supporting several key systems. In addition, 65 (about 74 percent)
of 88 previously reported weaknesses remain unresolved or unmitigated.

[25] See Appendix IV, Number 12.
[26] See Appendix IV, Number 13.
[27] See Appendix IV, Number 22.
[28] Pub. L. No. 104-208, 110 Stat. 3009.
[29] See Appendix IV, Number 10.

The Government Accountability Office stated that until the IRS corrects the identified
weaknesses, its financial systems and information remain unnecessarily vulnerable to insider
threats, including errors or mistakes and fraudulent or malevolent acts by insiders.
As a result, financial and taxpayer information are at increased risk of unauthorized
disclosure, modification, or destruction; financial data is at increased risk of errors that
result in misstatement; and the IRS’s management decisions may be based on unreliable or
inaccurate financial information.
These weaknesses, considered collectively, were the basis for the Government Accountability
Office’s determination that the IRS had a material weakness in internal control over financial
reporting related to information security in FY 2010.

Continued Emphasis and Attention Is Needed to Allow the Internal
Revenue Service to Become a Security-Conscious Organization

As mandated by the Federal Information Security Management Act, we report annually on the
effectiveness of the IRS information security program. The Office of Management and Budget
identified 10 information security areas to be evaluated under the Federal Information Security
Management Act review. Based on our work during the reporting period July 2009 to
June 2010, we determined the IRS Information Security Program was generally compliant with
Federal Information Security Management Act legislation, Office of Management and Budget
requirements, and related information security standards. Specifically, the IRS met the level of
performance for three program areas: certification and accreditation, incident response and
reporting, and remote access management.
While the IRS was generally compliant with the
Federal Information Security Management Act legislation, the program was not fully effective as
a result of conditions identified in the other seven program areas: configuration management,
security training, the process for managing weaknesses, identity and access management,
continuous monitoring, contingency planning, and contractor systems/financial audit.

In addition, we identified some security weakness commonalities across several audits during
our reporting period.
  • The IRS did not follow security evaluative processes prior to deploying systems and
    technologies.
      o During our review to determine whether General Support Systems security
        controls have been effectively implemented to ensure Federal tax data are
        protected, we found the IRS did not conduct adequate risk assessments prior to
        approving exceptions to required security controls on two General Support
        Systems.[30]
      o During our review to determine whether the IRS adequately tested and secured
        the IRS2GO smartphone application that allows taxpayers to check the status of
        their refunds, we found the IRS2GO application was made available to the public
        prior to receiving authorization for release.
        Specifically, the security accreditation
        and privacy impact assessment was approved after the January 21, 2011, release.[31]
      o During our review to determine whether the IRS’s current plans for increasing
        authorized use of wireless technology at IRS facilities are in accordance with
        Federal wireless security standards, we found that the wireless remote
        configuration in use at the IRS had not been properly assessed or approved for use
        in the IRS.[32]
  • The IRS did not always ensure security controls were implemented on its systems or
    computer environment.
      o During our review to determine whether the IRS adequately configured databases
        operating in its nonmainframe environment to properly secure taxpayer data, we
        identified high- and medium-risk security vulnerabilities on all 13 databases
        reviewed. These vulnerabilities pertained to account management controls (e.g.,
        default accounts, weak password settings), access privilege management controls
        (e.g., powerful administrative privileges not assigned based on job functions), and
        operating system protection controls (e.g., user access to source code).[33]
      o During our review to evaluate whether the IRS implemented access controls on its
        Automated Insolvency System application, we found employees had excessive
        access privileges to the Automated Insolvency System application because duties
        were not adequately separated among employees to prevent and detect
        unauthorized activities and a role-based access control scheme was not adequately
        implemented on the system.[34]
      o During our review to determine whether IRS controls, policies, and procedures
        for sensitive email messages to taxpayers
        adequately protected taxpayer data, we
        found the IRS had not implemented an automated control to detect and prevent
        sensitive tax data in unencrypted emails from being transmitted to those outside
        the IRS. Prior to November 2007, the IRS maintained a long-standing policy that
        prohibited sending taxpayer data in emails to taxpayers or taxpayers’
        representatives. The IRS relaxed its email policy in November 2007 when it
        approved the use of technology to encrypt emails to taxpayers, thereby protecting
        taxpayer data being sent to and received by taxpayers.[35]

Until the IRS continues to blend security into its business operations and processes, addresses
each computer security material weakness component with the necessary resources and funding,
and minimizes the existence of new security weaknesses, the IRS will continue to put the
confidentiality, integrity, and availability of financial and taxpayer information maintained and
processed on its computer systems at risk.

[30] See Appendix IV, Number 11.
[31] See Appendix IV, Number 23.
[32] See Appendix IV, Number 19.
[33] See Appendix IV, Number 17.
[34] See Appendix IV, Number 18.

Information Technology Operations Background

The Enterprise Operations’ mission supports the MITS organization by providing efficient,
cost-effective, secure, and highly reliable computing (mainframe and server) services for all IRS
business entities and taxpayers.
The Enterprise Operations organization’s Enterprise Computing
Center is responsible for providing support for the systems used to receive and process tax
returns and payments and all infrastructure servers enterprise-wide and application servers
located in the 10 campuses and non-Enterprise Computing Center sites.

The Information Technology Operations Program Has Improved Its
Efficiency and Effectiveness

The Information Technology Infrastructure Library® is a set of concepts and practices for
information technology service management. The Information Technology Infrastructure
Library focuses on the key service management principles pertaining to service strategy, service
design, service transition, service operation, and continual service improvement.

In September 2010, the Chief Technology Officer outlined a goal to have the MITS organization
implement the Information Technology Infrastructure Library best practices over the next several
years. The MITS Process Re-Engineering Executive Steering Committee governs the
implementation of the Information Technology Infrastructure Library. Responsibility for
implementing key Information Technology Infrastructure Library concepts has been assigned to
Enterprise Operations executives, with an implementation plan due in September 2011.

In addition, the Quality Assurance Program Office is part of the Applications Development
function’s effort in leading a MITS organization-wide initiative to use the Software Engineering
Institute’s Capability Maturity Model Integration. The Capability Maturity Model Integration
consists of best practices that organizations follow to improve effectiveness, efficiency, and
quality of their product and service development work.
Specifically, the MITS organization is
planning to use the Capability Maturity Model Integration-Development model to help improve
its development and maintenance processes for both products and services.

[35] See Appendix IV, Number 16.

During FY 2011, we conducted several audits on information technology operations and found
the IRS is taking steps to improve operational efficiency and effectiveness.
  • During our review to evaluate the efficiency and effectiveness of the capacity and
    performance management of the IRS mainframe computing environment, we found the
    capacity management policy and procedures have incorporated Information Technology
    Infrastructure Library best practice principles. We also found personnel responsible for
    the capacity management of the IBM and Unisys mainframe environments are actively
    monitoring mainframe performance against their own informal measures. The IBM
    capacity managers create an annual capacity report, as well as various day-to-day
    application-specific reports.
    The Unisys capacity managers create periodic reports on
    daily, weekly, and weekend transaction processing.[36]
  • During our review to determine whether the Service Operations Command Center Branch
    has effectively implemented Information Technology Infrastructure Library best
    practices, we found the Service Operations Command Center Branch has incorporated the
    Information Technology Infrastructure Library best practice principles of Event
    Management, Incident Management, and Problem Management into its Concept of
    Operations and policies and procedures. In addition, the Service Operations Command
    Center Branch has made these best practices a part of the way it does business by
    utilizing a Knowledge Database. Lastly, our review of Priority 1 and Priority 2 incident
    tickets determined tickets worked by Command Center personnel were resolved within
    documented service level agreement time periods.[37]
  • During our review to determine whether the Applications Development function’s
    Quality Assurance Program Office ensures development projects implement a
    coordinated set of activities that conform to organizational policies, processes, and
    procedures that meet the standards of the Software Engineering Institute’s Capability
    Maturity Model Integration – Development maturity level 2, we found the Quality
    Assurance Program Office’s processes, guidance, and procedures generally meet the
    Capability Maturity Model Integration maturity level 2 requirements for quality
    assurance.[38]
  • During our review to determine the effectiveness of the IRS efforts to address the critical
    issue of sustaining the IRS information technology infrastructure, we found the
    Sustaining Infrastructure Program developed and
    implemented a process for identifying,
    reviewing, prioritizing, and making decisions on funding the replacement of aged
    computer hardware as well as other critical infrastructure needs. The Sustaining
    Infrastructure Program is significantly improved, and agreed-upon prior
    recommendations are being implemented. The annual baseline amount allocated to the
    Sustaining Infrastructure Program is approximately $150 million, and the program is
    centralized to ensure the replacement of the IRS information technology infrastructure is
    addressed corporately.[39]

As a result of implementing the best practices and consolidating security activities, the IRS
reported $75 million in operational efficiencies gained in its FY 2012 budget request
justification. While operational efficiencies have been reported, additional opportunities to
improve operations remain.

[36] See Appendix IV, Number 27.
[37] See Appendix IV, Number 24.
[38] See Appendix IV, Number 5.

Actions have been taken to improve the energy efficiency of desktop computer
equipment

On January 24, 2007, President George W. Bush signed Executive Order 13423, Strengthening
Federal Environmental, Energy, and Transportation Management.
The purpose of this policy
was to strengthen the environmental, energy, and transportation management of Federal agencies
by “conducting their environmental, transportation, and energy-related activities under the law in
support of their respective missions in an environmentally, economically, and fiscally sound,
integrated, continuously improving, efficient, and sustainable manner.” In July 2007, the
Department of the Treasury established the Electronics Stewardship Program and
Implementation Plan to ensure sustainable practices in the area of electronics and to provide
policy and guidance regarding acquisition, operations and maintenance, and end-of-life
management.

Executive Order 13423 requires Federal agencies to, in part:
  • Improve energy efficiency of agency facilities 3 percent annually through the end of
    FY 2015 or 30 percent by FY 2015 compared to the FY 2003 baseline year, thereby
    reducing greenhouse gas.
  • Acquire electronic products (at least 95 percent) that are an Electronic Product
    Environmental Assessment Tool-registered product, unless there is no Electronic Product
    Environmental Assessment Tool standard for such product, and enable ENERGY STAR®
    features on agency computers and monitors.

The Electronic Product Environmental Assessment Tool is a system that helps purchasers evaluate,
compare, and select electronic products based on their environmental attributes.
ENERGY STAR is a joint program of the Environmental Protection Agency and the Department of
Energy designed to help save money and protect the environment through energy efficient
products and practices.

During our review to determine whether the IRS has taken effective steps to ensure the
acquisition, operation, and maintenance of energy efficient desktop computer equipment, we
determined the IRS is purchasing energy efficient desktop computer equipment and has enabled
an energy saving feature on computer monitors that puts the monitors in “sleep mode” during
periods of inactivity.[40]

[39] See Appendix IV, Number 21.

Operational efficiency and effectiveness can be improved

The Clinger-Cohen Act of 1996[41] requires agencies to use a disciplined capital planning and
investment control process to maximize the value of information technology investments and
manage the acquisition risk.

During FY 2011, we conducted several audits on information technology operations and found
opportunities for the IRS to improve operational efficiency and effectiveness.
  • During our review to evaluate the efficiency and effectiveness of the capacity and
    performance management of the IRS mainframe environment, we found license costs for
    the software products residing on the IRS mainframes are tied to the mainframe capacity,
    or number of Millions of Instructions Per Second (allocated to the machines).
    A whitepaper prepared by the IRS noted that there is an opportunity for the IRS to reduce
    its software license costs by changing the measure it uses to calculate the capacity of its
    mainframes from Millions of Instructions Per Second to Millions of Service Units. Had
    the IRS made the conversion from a Millions of Instructions Per Second basis for
    determining the capacity of its IBM mainframes to Millions of Service Units, the IRS
    could have realized software licensing cost savings of $580,358, using the 10 percent
    reduction estimate in the IRS whitepaper.[42]
  • During our review to determine whether the Service Operations Command Center Branch
    has effectively implemented Information Technology Infrastructure Library best
    practices, we found Command Center personnel should examine incident reports to
    identify trends within the information technology infrastructure, Command Center
    Branch management needs to conduct a baseline assessment of its staffing and workload,
    the Service Operations Command Center Branch needs to have a documented strategic
    plan to communicate its goals and priorities with milestone and target dates, and
    personnel need customized training to effectively implement the Information Technology
    Infrastructure Library.[43]
  • During our review to determine whether adequate security controls have been established
    for the IBM DB2 databases running on the IBM z/OS operating system, we found the
    security policies and configuration settings were in compliance with Government and
    industry standards and effectively implemented.
    However, in July 2010, the Cybersecurity organization purchased the IBM Guardium
    software application to perform automated vulnerability scans of its databases. The
    enterprise-wide software license covering 3,000 processors and the hardware needed to
    perform automated vulnerability scans cost $3.3 million. The IRS originally anticipated
    implementation by December 2010. However, by July 2011, the IBM Guardium
    software application still had not been implemented enterprise-wide because of,
    according to IRS management, other higher priorities and the lack of support needed
    from several organizations. In June 2011, the IRS received an invoice for approximately
    $700,000 to renew the annual software application license. This invoice was paid in
    order to continue deployment and avoid penalties for a lapse in maintenance; however,
    the application had not been fully implemented, resulting in an inefficient use of
    resources.[44]
  • During our review to determine whether the Applications Development function’s
    Quality Assurance Program Office ensures development projects implement a
    coordinated set of activities that conform to organizational policies, processes, and
    procedures that meet the standards of the Software Engineering Institute’s Capability
    Maturity Model Integration – Development maturity level 2, we found the Quality
    Assurance Program Office audit documentation and procedures need improvement.[45]
  • During our review to determine whether the IRS has taken effective steps to ensure the
    acquisition, operation, and maintenance of energy efficient desktop computer equipment,
    we determined the IRS has not established an implementation strategy to ensure timely
    completion of applicable action items in the Electronics Stewardship Program and
    Implementation Plan. For example, timely actions have not been taken to implement
    power management (e.g., power down/sleep mode) functionality on desktop computers
    (also includes laptop computers). Policies and procedures have not been established to
    implement duplex (two-sided) printing on printers.[46]

[40] See Appendix IV, Number 20.
[41] Federal Acquisition Reform Act of 1996 (Information Technology Management Reform Act of 1996),
     Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app.,
     10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C.,
     38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).
[42] See Appendix IV, Number 27.
[43] See Appendix IV, Number 24.
[44] See Appendix IV, Number 26.
[45] See Appendix IV, Number 5.
[46] See Appendix IV, Number 20.

Measuring and reporting operational results can be improved

Industry best practices emphasize that identifying the appropriate measures, creating a process
for collecting and analyzing the data, and effectively using the data to guide and direct continued
improvement are essential to establishing a successful measurement process. Meaningful key
performance indicators should align with organizational goals and provide insight into the
following: Quality, Efficiency, Compliance, and Value. Also, metrics should be specific,
measurable, attainable, realistic, and time driven. Metrics help to ensure that the process in
question is running effectively and efficiently.

During FY 2011, two audits we conducted identified opportunities to improve the measuring and
reporting of operational results.
  • During our review to evaluate the efficiency and effectiveness of the capacity and
    performance management of the IRS mainframe environment, we found performance
    measurement requirements in Defined-Service Agreements are not formally established
    to facilitate the management and reporting of mainframe performance. Our review of the
    20 Defined-Service Agreements found that the Enterprise Operations organization is not
    consistently including measurable performance metrics such as availability, reliability,
    performance, and capacity in these agreements.
    Only 4 of the 20 Defined-Service
    Agreements contained any measurable performance metrics.[47]
  • During our review to determine whether the Service Operations Command Center Branch
    has effectively implemented Information Technology Infrastructure Library best
    practices, we found additional measures are needed to capture the improved efficiency
    and effectiveness resulting from the Information Technology Infrastructure Library.[48]

[47] See Appendix IV, Number 27.
[48] See Appendix IV, Number 24.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to assess the status of the IRS’s Information Technology Program
since June 2010 as required by the IRS Restructuring and Reform Act of 1998.[1] The scope of
this assessment covers information technology security, modernization, and operations and
includes the TIGTA audit reports that have been issued to the IRS from June 2010 through
July 2011.

[1] Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C.,
    5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C.,
    and 49 U.S.C.).

I.  Determined and provided an overall assessment of the IRS’s Information Technology
    Program.
    A. Assessed the Information Technology Security and Privacy issues. We
       determined which are at high risk for delivering IRS program objectives and
       protecting tax administration data by analyzing the TIGTA Security Directorate audit
       report issues identified during the period June 2010 through July 2011. We also
       reviewed the prior three annual assessment reports for any trends in security and
       privacy issues.
    B. Assessed Information Technology Modernization issues. We determined which
       are at high risk for delivering IRS program objectives and protecting tax
       administration data by analyzing the TIGTA Modernization Directorate audit report
       issues identified during the period June 2010 through July 2011. We also reviewed
       the prior three annual assessment reports for any trends in modernization issues.
    C. Assessed Information Technology Operations issues. We determined which are at
       high risk for delivering IRS program objectives and protecting tax administration data
       by analyzing the TIGTA Operations Directorate audit report issues identified during
       the period June 2010 through July 2011. Operations issues were not included in the
       prior annual assessment reports.
    D. Reviewed the TIGTA open audit inventory to identify ongoing audits of Information
       Technology security, modernization, and operations. We contacted audit staff to
       identify and clarify issues and obtain current estimates of report due dates.
    E. Met with each audit director and the Assistant Inspector General for Audit to discuss
       high-level messages or themes they determined are relevant and important to be
       conveyed through this year’s annual assessment report.
    F. Discussed with the applicable audit directors and Assistant Inspector General for
       Audit whether the IRS’s current information technology security and modernization
       material weaknesses[2] should remain or be downgraded.
    G. Reviewed and summarized any relevant congressional testimony and high-level
       briefings the TIGTA presented pertaining to IRS’s information technology security,
       modernization, and operations.
    H. Reviewed the April 2011 Interim Filing Season Report.
II. Determined and summarized the results of any applicable oversight assessments of the
    IRS’s information technology security, modernization, and operations.
    A. Obtained, reviewed, and summarized applicable studies, reports, and legislative
       guidance from congressional committees.
    B. Obtained, reviewed, and summarized applicable studies, reports, and guidance from
       the IRS Oversight Board.
    C. Obtained, reviewed, and summarized relevant Government Accountability Office
       reports.
    D. Summarized the results of any IRS assessments and status information pertaining to
       the IRS’s Information Technology security, modernization, and operations.
       We reviewed key documents such as the Chief Technology Officer’s position on
       information technology material weaknesses, the IRS’s Modernization Vision and
       Strategy Program, MITS Business Value Chart, the IRS’s Information Technology
       Security Program Plan, the Business Systems Modernization Expenditure Plan, and
       the Fiscal Year 2012 IRS budget request justification.

Internal controls methodology

Internal controls include the processes and procedures for planning, organizing, directing, and
controlling program operations. They include the systems for measuring, reporting, and
monitoring program performance. We did not evaluate internal controls as part of this review
because doing so was not necessary to satisfy our review objective.

[2] See Appendix VI for a glossary of terms.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Kent Sagara, Director
Diana M. Tengesdal, Acting Director
Danny Verneuille, Director
Kimberly R. Parmley, Audit Manager
Charlene L. Elliston, Lead Auditor
Cari D. Fogle, Senior Auditor
Mary L. Jankowski, Senior Auditor
Ryan M. Perry, Senior Auditor
Hung Q. Dam, Information Technology Specialist
Kevin Liu, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief, Agency-Wide Shared Services OS:A
Deputy Commissioner of Operations SE:W
Deputy Chief Information Officer for Strategy/Modernization OS:CTO
Associate Chief Information Officer, Affordable Care Act (PMO) OS:CTO:ACA
Associate Chief Information Officer, Applications Development OS:CTO:AD
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Associate Chief Information Officer, Enterprise Network OS:CTO:EN
Associate Chief Information Officer, Enterprise Services OS:CTO:ES
Associate Chief Information Officer, Modernization Program Management Office OS:CTO:MP
Associate Chief Information Officer, Strategy and Planning OS:CTO:SP
Director, Procurement OS:A:P
Director, Compliance OS:CTO:C
Director, CADE 2 Database Implementation OC:CTO:AD
Director, Program Management OS:CTO:AD:PM
Director, Privacy, Information Protection and Data Security OS:P
Director, Privacy, and Information Protection OS:PIP
Director, Cybersecurity Operation OS:CTO:C
Director, CADE 2/Health Care ACA OS:CTO:EO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
    Associate Chief Information Officer, Applications Development OS:CTO:AD
    Director, Risk Management Division OS:CTO:SP:RM

Appendix IV

Listing of Treasury Inspector General for Tax Administration Reports Reviewed

Number  Report Reference or  Report Title                                     Report Issuance Date
        (Audit) Number
  1     2010-20-099          The Federal Student Aid Datashare Application    Final Report Issued
                             Was Successfully Deployed, but Improvements      September 2010
                             in Systems Development Disciplines Are
                             Needed
  2     2010-21-110          The Internal Revenue Service Should Strengthen   Final Report Issued
                             Processes for Managing Recovery Act Funds        September 2010
                             Used for the Health Coverage Tax Credit
  3     2010-20-094          Annual Assessment of the Business Systems        Final Report Issued
                             Modernization Program                            September 2010
  4     2011-20-001          Prototype Process Improvements Will Benefit      Final Report Issued
                             Efforts to Modernize Taxpayer Account            November 2010
                             Administration
  5     2011-20-007          The Applications Development Function’s          Final Report Issued
                             Quality Assurance Program Office Can Make
                                                      February 2011\n                        Its Processes More Effective\n\n  6       2011-20-088   The Modernized e-File Release 6.2 Included       Final Report Issued\n                        Enhancements, but Improvements Are Needed\n                                                                         September 2011\n                        for Tracking Performance Issues and Security\n                        Weaknesses\n  7       (201120001)   The Customer Account Data Engine 2 Is            Draft Report Issued\n                        Making Progress Toward Achieving Daily\n                                                                         August 2011\n                        Processing, but Improvements Are Warranted\n                        to Ensure Full Functionality\n  8       2011-20-110   The Customer Account Data Engine 2 Database      Final Report Issued\n                        Implementation Project Made Progress in\n                                                                         September 2011\n                        Design Activities, but Improvements Are\n                        Needed\n\n\n                                                                                               Page 30\n\x0c                   Annual Assessment of the Internal Revenue Service\n                            Information Technology Program\n\n\n\n\n           Report\n         Reference or\n           (Audit)\nNumber     Number                       Report Title                      Report Issuance Date\n\n  9       (201020025)   The Customer Account Data Engine 2 Program        Draft Report Issued\n                        Management Office Implemented Systems\n                                                                          August 2011\n                        Development Guidelines; However, Process\n                        Improvements Are Needed to Address\n                        
Inconsistencies\n  10      2010-10-065   Measurable Progress Has Been Made in              Final Report Issued\n                        Addressing Federal Financial Management\n                                                                          June 2010\n                        Improvement Act Noncompliance; However,\n                        Significant Challenges Remain\n  11      2010-20-063   Sensitive But Unclassified \xe2\x80\x93 Implementation       Final Report Issued\n                        of General Support Systems Security Controls\n                                                                          June 2010\n                        Needs Improvement to Protect Taxpayer Data\n  12      2010-20-082   Sensitive But Unclassified \xe2\x80\x93 Additional Actions   Final Report Issued\n                        and Resources Are Needed to Resolve the Audit\n                                                                          July 2010\n                        Trail Portion of the Computer Security Material\n                        Weakness\n  13      2010-20-084   More Actions Are Needed to Correct the            Final Report Issued\n                        Security Roles and Responsibilities Portion of\n                                                                          August 2010\n                        the Computer Security Material Weakness\n  14      2010-20-101   Treasury Inspector General for Tax                Final Report Issued\n                        Administration \xe2\x80\x93 Federal Information Security\n                                                                          September 2010\n                        Management Act (Non-Intelligence National\n                        Security Systems) Report for Fiscal Year 2010\n  15      2011-20-003   Treasury Inspector General for Tax                Final Report Issued\n                        Administration \xe2\x80\x93 Federal Information Security\n                   
                                                       November 2010\n                        Management Act Report for Fiscal Year 2010\n  16      2011-20-012   Additional Security Is Needed for the Taxpayer    Final Report Issued\n                        Secure Email Program\n                                                                          February 2011\n  17      2011-20-044   Security Over Databases Could Be Enhanced         Final Report Issued\n                        to Ensure Taxpayer Data Are Protected\n                                                                          May 2011\n  18      2011-20-046   Access Controls for the Automated Insolvency      Final Report Issued\n                        System Need Improvement\n                                                                          May 2011\n\n\n\n\n                                                                                                Page 31\n\x0c                   Annual Assessment of the Internal Revenue Service\n                            Information Technology Program\n\n\n\n\n           Report\n         Reference or\n           (Audit)\nNumber     Number                       Report Title                      Report Issuance Date\n\n  19      2011-20-101   Security Controls Over Wireless Technology        Final Report Issued\n                        Were Generally in Place; However, Further\n                                                                          September 2011\n                        Actions Can Improve Security\n  20      2010-20-056   Additional Efforts Are Needed to Implement        Final Report Issued\n                        the Electronics Stewardship Program and\n                                                                          June 2010\n                        Maximize the Energy Efficiency of Desktop\n                        Computer Equipment\n  21      2011-20-006   The Sustaining Infrastructure Program Is          Final 
Report Issued\n                        Significantly Improved and a Comprehensive\n                                                                          December 2010\n                        Information Technology Infrastructure Strategy\n                        Has Been Developed\n  22      2011-20-060   Corrective Actions to Address the Disaster        Final Report Issued\n                        Recovery Material Weakness Are Being\n                                                                          June 2011\n                        Completed\n  23      2011-20-076   The IRS2GO Smartphone Application Is Secure,      Final Report Issued\n                        but Development Process Improvements Are\n                                                                          August 2011\n                        Needed\n  24      2011-20-078   Service Operations Command Center                 Final Report Issued\n                        Management Can Do More to Benefit From\n                                                                          August 2011\n                        Implementing the Information Technology\n                        Infrastructure Library\n  25      2011-20-105   The Modernization and Information Technology      Final Report Issued\n                        Services Organization Is Effectively Planning\n                                                                          September 2011\n                        for the Implementation of the Affordable Care\n                        Act\n  26      (201120021)   The Mainframe Databases Reviewed Met              Draft Report Issued\n                        Security Requirements; However, Automated\n                                                                          August 2011\n                        Security Scans Were Not Performed\n  27      2011-20-074   Mainframe Computer Performance Is Being           Final Report Issued\n                        Actively 
Monitored, but Defined-Service\n                                                                          September 2011\n                        Agreements and Software Licensing Can Be\n                        Improved\n  28      (201140030)   Low Participation and Tax Return Volumes          Draft Report Issued\n                        Continue to Hinder the Transition of Individual\n                                                                          August 2011\n                        Income Tax Returns to the Modernized e-File\n                        System\n\n\n                                                                                                Page 32\n\x0c                             Annual Assessment of the Internal Revenue Service\n                                      Information Technology Program\n\n\n\n                                                                                                  Appendix V\n\n                     Project Cost and Schedule Variances\n\nThis table presents the cost and schedule variance for the Modernization Program project\nreleases1 delivered in FY 2011through June 2011.\n\n                                                          Current           Cost        Schedule         Schedule\n                           Current                         Cost           Variance      Variance         Variance\n        Release           Finish Date       Milestone      (000)        (Percentage)     (Days)        (Percentage)\n\n    Current CADE\n\n          6.2          January 14, 2011        4b             22,000         0%            -102            -6%\n\n    CADE 2\n\n     Trans State 1      April 18, 2011        3\xe2\x80\x934a            24,200         0%            -11             -6%\n\n    MeF\n\n          6.2           May 18, 2011          4b\xe2\x80\x935            13,000         0%             1              1%\n\n           7            April 26, 2011        3\xe2\x80\x934a            27,705   
    -24%3            0              0%\n\n    Source: Business Systems Modernization Monthly Performance Measures Report, issued July 5, 2011.\n\n\n\n\n1\n  See Appendix VI for a glossary of terms.\n2\n  A negative schedule variance indicates the milestone was completed before the planned date.\n3\n  According to the IRS, this variance resulted from lower than expected hardware and software costs.\n                                                                                                           Page 33\n\x0c                        Annual Assessment of the Internal Revenue Service\n                                 Information Technology Program\n\n\n\n                                                                               Appendix VI\n\n                              Glossary of Terms\n\n            Term                                          Definition\nAccount Management Services The Account Management Services project will modernize the\n                            capability to collect, view, retrieve, and manage taxpayer\n                            information.\nBest Practice                   A technique or methodology that, through experience and\n                                research, has proven to reliably lead to a desired result.\nBusiness Systems                The Business Systems Modernization Program, which began\nModernization                   in 1999, is a complex effort to modernize the IRS\xe2\x80\x99s\n                                technology and related business processes.\nCapability Maturity Model\xc2\xae      A structured process that helps organizations improve their\n                                abilities to consistently and predictably acquire and develop\n                                high-quality information systems. 
Organizations that have\n                                implemented Capability Maturity Model processes have seen\n                                dramatic improvements in their abilities to meet planned time\n                                periods, reduce errors, and increase value on dollars invested.\nCustomer Account Data           The foundation for managing taxpayer accounts in the IRS\nEngine (CADE)                   modernization plan. It will consist of databases and related\n                                applications that will replace the existing IRS Master File\n                                processing systems and will include applications for daily\n                                posting, settlement, maintenance, refund processing, and issue\n                                detection for taxpayer tax account and return data.\nCustomer Account Data           Creates a modernized processing and data-centric\nEngine 2 (CADE 2)               infrastructure that will enable the IRS to improve the accuracy\n                                and speed of individual taxpayer account processing, enhance\n                                the customer experience through improved access to account\n                                information, and increase the effectiveness and efficiency of\n                                agency operations.\nEnterprise Life Cycle           A structured business systems development method that\n                                requires the preparation of specific work products during\n                                different phases of the development process.\n\n\n                                                                                        Page 34\n\x0c                      Annual Assessment of the Internal Revenue Service\n                               Information Technology Program\n\n\n\n\n              Term                                        Definition\nFederal Information Security    Legislation which 
requires the Inspector General to perform\nManagement Act of 2002          an annual independent evaluation of each Federal agency\xe2\x80\x99s\n                                information security policies, procedures, and practices as well\n                                as evaluate its compliance with this law.\nFiling Season                   The period from January through mid-April when most\n                                individual income tax returns are filed.\nFiscal Year                     A 12-consecutive-month period ending on the last day of any\n                                month except December. The Federal Government\xe2\x80\x99s fiscal\n                                year begins on October 1 and ends on September 30.\nMaster File                     The IRS database that stores various types of taxpayer account\n                                information. This database includes individual, business, and\n                                employee plans and exempt organizations data.\nMaterial Weakness               Office of Management and Budget Circular A-123,\n                                Management\xe2\x80\x99s Responsibility for Internal Control, dated\n                                December 2004, defines a material weakness as any condition\n                                an agency head determines to be significant enough to be\n                                reported outside the agency.\nMilestone                       The \xe2\x80\x9cgo/no-go\xe2\x80\x9d decision point in a project; it is sometimes\n                                associated with funding approval to proceed.\nModernized e-File               The Modernized e-File project develops the modernized,\n                                web-based platform for filing approximately 330 IRS forms\n                                electronically, beginning with the U.S. Corporation Income\n                                Tax Return (Form 1120), U.S. 
Income Tax Return for an\n                                S Corporation (Form 1120S), and Return of Organization\n                                Exempt From Income Tax (Form 990). The project serves to\n                                streamline filing processes and reduce the costs associated\n                                with a paper-based process.\nPlan of Action and Milestones   A requirement for managing the security weaknesses\n                                pertaining to a specific application or system. In addition to\n                                noting weaknesses, each Plan of Action and Milestones item\n                                details steps that need to be taken to correct or reduce any\n                                weaknesses, as well as resources required to accomplish task\n                                milestones and a correction timeline.\nRelease                         A specific edition of software.\n\n                                                                                        Page 35\n\x0c                      Annual Assessment of the Internal Revenue Service\n                               Information Technology Program\n\n\n\n\n            Term                                          Definition\nSoftware Engineering Institute   A federally funded research and development center operated\n                                 by Carnegie Mellon University and sponsored by the\n                                 Department of Defense. Its objective is to provide leadership\n                                 in software engineering and in the transition of new software\n                                 engineering technology into practice.\n\n\n\n\n                                                                                        Page 36\n\x0c'